Hi Ralf:

In message <20190623171201.362E14C0411@itserver6.localdomain>,
"John P. Rouillard" writes:
>In message <1561294337.71.0.360196406483.issue2551048@roundup.psfhosted.org>,
>Ralf Schlatterbeck writes:
>>We should either come up with a fix or document this in the REST-API
>>documentation.

I have a changed to the code so that an error is thrown if you try to
access WEB_SECRET_KEY. Since the rest interface is all that does that
at the moment, this trips when using the rest interface.

The rest client sees the error:

    {
	"error": {
	    "status": 400,
	    "msg": "Sun Jun 23 18:02:03 2019: An error occurred. Please check the server log for more information."
	}
    }

The traceback error in the server log/emailed to the admin is:

    ...
    File "/home/rouilj/local/lib/python3.4/site-packages/roundup/configuration.py", line 197, in get
      raise OptionUnsetError(self)
  roundup.configuration.OptionUnsetError: WEB_SECRET_KEY is not set and has no default

That at least makes the misconfig obvious.

I don't like it though. What I really want is the ability to get a
secret key automatically generated when running roundup-admin with:

   install
   genconfig or
   updateconfig

if secret_key is not set. This key is not something that the
user/admin should care about.  But I can't figure out how to make that
work at the configuration class level.

If secret_key is not present in the config file and I supply a default
value in the definition of secret_key, we end up without an error and
a continually changing secret_key. I.E. your bug.

If I set the default value to NODEFAULT I don't get an automatic
secret_key but we do get the error above.

>One of two things should be happening here:
>
>  1) If that option is not set in config.ini, there should be a
>     failure on startup. Similar to not setting TRACKER_WEB.
>     Is secret_key in your config.ini set to nothing:
>       [web]
>       secret_key =
>     or is secret_key not present in your config.ini? If not present,
>     I can see how this could happen, but I am not sure how to fix it. 

The failure is triggered if the config has secret_key set to nothing in
config.ini.

>  2) That key should be set to a constant value when running:
>
>      roundup-admin -i . updateconfig config.ini
>
>     as specified in doc/upgrading.txt ...

My guess is you didn't run this and as a result have a hidden problem.

You suggested documenting this in the rest doc. Would adding something
like this at the end of the "Enabling the REST API" section work:

  Make sure that config.ini has a secret_key option defined in the web
  section of config.ini. If you followed the upgrading directions, it
  is done automatically when running "roundup-admin ... updateconfig
  config.ini". If you are installing a new tracker with "roundup-admin
  ... install" the secret_key value is automatically set to some
  random value. If this is not set, you will see different etag values
  for the same unchanged item on each REST call.

I would prefer to document this and leve the existing code as is as I
think it is more user friendly provided the update instructions to run
"roundup-admin .... updateconfig" works.

Thoughts?